We wanted to provide a quick update on the threat landscape and announce that we will release a security update out-of-band to help protect customers from this vulnerability. (...) Given the significant level of attention this issue has generated, confusion about what customers can do to protect themselves, and the escalating threat environment, Microsoft will release a security update out-of-band for this vulnerability.

For Microsoft, the "escalating threat environment" mentioned in my first quote is the threat to their image, not the actual hole in their browser. :) I assume they don't actually have a patch currently, so they're simply making noise and promises in an attempt to reassure.

"Out of band" is Microsoft-speak for releasing a patch on a day other than the monthly "Patch Tuesday" - MS usually releases all patches on a strict schedule so that system administrators can plan ahead. Out of band is the exception.

In the meantime, we are hearing that the folks at VUPEN have found a way to bypass DEP as long as JavaScript is enabled (no, this doesn't appear to be the .NET ones from last year), which would make even IE8 vulnerable. We don't have the details at present, but if true this is a major development. This is a concern since Microsoft's advice is for those using IE6 and IE7 to move to IE8, where DEP is on by default. In any event, we continue to monitor the situation.

PR machine: there is no confusion whatsoever, customers should just drop IE/Windows.

Amen. But we need to realize how difficult dropping IE would be for so many large firms' intranets. A lot of these jack-leg systems were built assuming IE was IT. Then folks (everyone from clerks to VPs) go home and want to see the same browser they use at their jobs.

It's one of the few cases in the internet biz where major, sustainable benefits did actually fall to the early mover.

This is an advance notification of one out-of-band security bulletin that Microsoft is intending to release on January 21, 2010. The bulletin will be for Internet Explorer to address limited attacks against customers of Internet Explorer 6, as well as fixes for vulnerabilities rated Critical that are not currently under active attack.

This patch should start rolling out via the usual update mechanisms from 10am PST on January 21st. The update will require a restart.

My biggest concern? This patch has certainly been rushed. Has it been tested properly?

My computer running IE6 got hit by this patch today. I installed the update and nothing blew up, but then again we use Firefox so this update was more of a covering bases thing. My machine with IE7 has not been offered an update yet.

Microsoft first knew of the bug used in the infamous Operation Aurora IE exploits as long ago as August, four months before the vulnerability was used in exploits against Google and other hi-tech firms in December, it has emerged. (...) BugSec's bulletin states that it reported the bug to the software giant on 26 August.

So MS has had months to prepare their patch. Of course, this means that "my biggest concern" is not the patch quality, but the five months that MS sat on their hands before being forced into releasing a solution, only due to the pressure of bad publicity.

Google-haters might suggest that Google's timing also served to discredit IE security compared to Chrome. I mean, Google probably knew the patch was ready and expected in February, so why not hurt MS by jumping the gun on an IE zero-day? I'll let others flesh out the conspiracy theory ;)